Link to the "Secure live migration with QEMU-native TLS" document from other relevant guides, and small blurbs of text where appropriate.

Blueprint: support-qemu-native-tls-for-live-migration
Change-Id: I9c6676897d27254e2e16bf7e36a74bf9f3da3832
Signed-off-by: Kashyap Chamarthy <kchamart@redhat.com>
51 lines
1.4 KiB
ReStructuredText
==================
Security hardening
==================

OpenStack Compute can be integrated with various third-party technologies to
increase security. For more information, see the `OpenStack Security Guide
<https://docs.openstack.org/security-guide/>`_.

Encrypt Compute metadata traffic
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

**Enabling SSL encryption**

OpenStack supports encrypting Compute metadata traffic with HTTPS. Enable SSL
encryption in the ``metadata_agent.ini`` file.

#. Enable the HTTPS protocol.

   .. code-block:: ini

      nova_metadata_protocol = https

#. Determine whether insecure SSL connections are accepted for Compute metadata
   server requests. The default value is ``False``.

   .. code-block:: ini

      nova_metadata_insecure = False

#. Specify the path to the client certificate.

   .. code-block:: ini

      nova_client_cert = PATH_TO_CERT

#. Specify the path to the private key.

   .. code-block:: ini

      nova_client_priv_key = PATH_TO_KEY

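The four steps above configure one file, so a quick way to confirm they were
all completed (and that the insecure setting was not left on) is to audit the
resulting ``metadata_agent.ini``. The following script is an added example and
is not part of the nova or neutron documentation or code. It assumes the four
options live in the ``[DEFAULT]`` section, treats any value starting with
``PATH_TO_`` as a placeholder from this guide that was never replaced, and the
certificate paths in the sample configurations are constructed, not real
deployment paths.

```python
"""Audit a metadata_agent.ini for weak Compute-metadata TLS settings.

Added example, not part of the nova/neutron documentation. It checks the four
options from the procedure above: nova_metadata_protocol,
nova_metadata_insecure, nova_client_cert and nova_client_priv_key.
"""
import configparser
from typing import List

SECTION = "DEFAULT"  # assumption: the section the metadata agent reads these from
PLACEHOLDER_PREFIX = "PATH_TO_"  # this guide's placeholder style (PATH_TO_CERT, PATH_TO_KEY)


def _parse(ini_text: str) -> configparser.SectionProxy:
    """Parse INI text; tolerate a bare option list with no section header."""
    if not ini_text.lstrip().startswith("["):
        ini_text = f"[{SECTION}]\n{ini_text}"
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return parser[SECTION]


def audit_metadata_config(ini_text: str) -> List[str]:
    """Return human-readable findings; an empty list means the config passes."""
    section = _parse(ini_text)
    findings: List[str] = []

    # 1. Metadata traffic must be HTTPS; anything else crosses the wire in clear.
    protocol = section.get("nova_metadata_protocol", "").strip().lower()
    if protocol != "https":
        findings.append(
            f"nova_metadata_protocol is {protocol!r}, not 'https': "
            "metadata traffic is unencrypted"
        )

    # 2. nova_metadata_insecure = True disables server certificate verification.
    try:
        insecure = section.getboolean("nova_metadata_insecure", fallback=False)
    except ValueError:
        raw = section.get("nova_metadata_insecure")
        findings.append(f"nova_metadata_insecure has a non-boolean value {raw!r}")
        insecure = False
    if insecure:
        findings.append(
            "nova_metadata_insecure = True: server certificate is not verified"
        )

    # 3./4. Client certificate and key: flag leftover placeholders and a
    # half-configured pair (one set without the other).
    cert = section.get("nova_client_cert", "").strip()
    key = section.get("nova_client_priv_key", "").strip()
    for name, value in (("nova_client_cert", cert), ("nova_client_priv_key", key)):
        if value.startswith(PLACEHOLDER_PREFIX):
            findings.append(f"{name} still holds the placeholder {value!r}")
    if bool(cert) != bool(key):
        findings.append(
            "nova_client_cert and nova_client_priv_key must be set together; "
            "only one of them is configured"
        )
    return findings


# Constructed sample: a half-finished hardening with the insecure flag left on.
WEAK_CONFIG = """\
[DEFAULT]
nova_metadata_protocol = http
nova_metadata_insecure = True
nova_client_cert = PATH_TO_CERT
"""

# Constructed sample: the four options from the procedure above, with
# hypothetical paths substituted for PATH_TO_CERT / PATH_TO_KEY.
HARDENED_CONFIG = """\
[DEFAULT]
nova_metadata_protocol = https
nova_metadata_insecure = False
nova_client_cert = /etc/neutron/certs/metadata-client.crt
nova_client_priv_key = /etc/neutron/certs/metadata-client.key
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_metadata_config(text)
        status = "OK" if not result else f"{len(result)} finding(s)"
        print(f"{label}: {status}")
        for line in result:
            print(f"  - {line}")
```

Run against the weak sample it reports four findings (plain HTTP, verification
disabled, the leftover ``PATH_TO_CERT`` placeholder, and a certificate with no
matching key); the hardened sample passes cleanly. A certificate/key pair that
is entirely absent is not flagged, since a client certificate is only needed
where the metadata service is configured to require one.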
Securing live migration streams with QEMU-native TLS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It is strongly recommended to secure all the different live migration
streams of a nova instance—i.e. guest RAM, device state, and disks (via
NBD) when using non-shared storage. For further details on how to set
this up, refer to the
:doc:`secure-live-migration-with-qemu-native-tls` document.